/^/
EasySecurity2 min read

CVV / CVC Code Regex

Validates a card verification value (CVV/CVC/CID) as exactly three or four digits, matching the security code formats used by Visa, Mastercard, and American Express.

#cvv#cvc#credit-card#payment#security#validation#regex

Regex Pattern

^[0-9]{3,4}$

Pattern Breakdown

Hover over a token to see what it does.

^[0-9]{3,4}$
TokenMeaning
^Anchors the match to the start of the string
[0-9]{3,4}Exactly three or four digit characters, covering both the common 3-digit CVV/CVC and the 4-digit American Express CID
$Anchors the match to the end of the string

Detailed Explanation

What it does

This pattern checks that a string consists of exactly 3 or 4 numeric digits and nothing else, matching the length of the security code printed on the back of most cards (3 digits) or the front of American Express cards (4 digits).

Why it works

The character class [0-9] restricts each position to a single digit, and the bounded quantifier {3,4} allows either length without permitting shorter or longer runs. Anchoring with ^ and $ ensures the entire input is exactly 3 or 4 digits, rejecting extra characters such as spaces, letters, or additional digits that might indicate a pasted card number instead of a CVV.

Common use cases

  • Validating the CVV/CVC input field in a checkout or payment form before submission
  • Client-side sanity checks to give immediate feedback on obviously malformed security codes
  • Masking or redacting CVV-shaped values in logs to avoid storing sensitive payment data
  • Distinguishing a 3-digit Visa/Mastercard CVC field from a 4-digit American Express CID field in dynamic form logic

Edge cases

  • A 3-digit code like '123' and a 4-digit code like '1234' are both accepted since the quantifier allows either length
  • A code with a leading zero, such as '012', is valid since CVVs are treated as strings of digits, not numeric values
  • Codes shorter than 3 digits ('12') or longer than 4 ('12345') are correctly rejected
  • Non-numeric input, including letters or symbols, is rejected entirely by the [0-9] character class

Limitations

  • Does not verify that the code actually matches the card on file; that check can only be performed by the card network or payment processor
  • Does not know which card brand the input belongs to, so it cannot enforce '3 digits for Visa/Mastercard, 4 digits for Amex' without the card number available for cross-reference
  • CVV values should never be stored after authorization per PCI DSS; this pattern is for format validation only, not for persistence guidance
  • Does not strip whitespace; a value like ' 123' with a leading space will fail and should be trimmed before validation

Interactive Tester

Edit the pattern or text below — matching runs live in your browser.

123 1234 000

Test Cases

Editable — add your own inputs to see if they pass.

InputExpectedResult
Pass
Pass
Pass
Pass
Pass
Pass
Pass

Language Variants

Production-ready examples in 12 languages.

const cvvRegex = /^[0-9]{3,4}$/;
console.log(cvvRegex.test('123')); // true

Common Mistakes

Only accepting 3-digit codes, which rejects legitimate 4-digit American Express CID values

Fix: Use a bounded quantifier like {3,4} so both common CVV lengths are accepted

Not trimming whitespace before validation, causing a copy-pasted value like ' 123 ' to fail

Fix: Trim the input string before running it through the CVV regex

Logging or storing the raw CVV value alongside other card data for debugging

Fix: Never persist CVV values after authorization; validate the format in memory only and discard it, per PCI DSS requirements

Performance Notes

  • A bounded digit-only character class with a small quantifier range is one of the fastest possible regex shapes, with strictly linear-time matching
  • No backtracking risk exists since every character either matches [0-9] or the match fails immediately
  • For form fields, combining this regex with an HTML inputmode='numeric' or maxlength attribute reduces invalid submissions before validation even runs

Browser Compatibility

EngineSupportedNotes
ChromeYes
FirefoxYes
SafariYes
EdgeYes
Node.jsYes